Ireland’s cyber security conference Dublin Info Sec 2016 took place last week. Expert speakers took to the stage and outlined the ever-more sophisticated cyber security challenges businesses and organisations are facing. Andy O’Kelly, chief architect at eir Business, gives a rundown of the main talking points from the afternoon session. You can find Andy’s rundown of the main talking points from the morning session here.
The afternoon session kicked off with Brian Honan illustrating the growing cyber challenge with incident statistics from the Irish Reporting and Information Security Service (IRISS): around 6,500 incidents were reported in Ireland in 2014, rising to 26,000 in the past year. Continuing the themes of the morning session, the main categories of incident have been CEO fraud through targeted emails, DDoS extortion, and rampant ransomware. Around 74% of incidents appear to be organised-crime related.
User Awareness training failing to engage
With user awareness so critical to any organisation’s defence, Honan offered a critique of why improvement efforts in this regard so frequently fail to deliver changes in behaviour. He believes most user awareness training fails to engage: it is too boring, too far removed from a user’s daily experience, or written and delivered by IT folk in a language and style that has little impact outside their own immediate community (on a personal note, mea culpa). Often the focus is too much on ‘compliance’, and the training is treated as a box-ticking exercise. As Rik Ferguson had stressed in the morning session, ‘compliance’ should not be confused with ‘security’ – the former is table stakes, while the latter is doing the right things to protect your business, your customers and your staff. Honan encouraged organisations to treat user awareness like a marketing campaign or a product launch to get the engagement it needs. He pointed out the importance of full participation throughout the organisation, and particularly at the top, given the threat posed by CEO fraud.
Analysing the human factor
Dr Mary Aiken followed with an eye-opening introduction to the topic of cyber-psychology and the ‘human technology interface’. Analysing human factors in any system is complex, and in the cyber domain certain behaviour is amplified by anonymity and disinhibition. Given the ubiquity of technology – from mobile devices to CCTV – Dr Aiken remarked that most crimes will now have some element of cyber evidence. While cybercrime scenes are investigated in a technical manner – analysing code and log evidence, for instance – they can also be considered in terms of their sociological and psychological aspects. This affords a fuller assessment and a profiling of the perpetrator that will assist in actively predicting future behaviour. While the primary motivation of many actors is apparent – financial gain for the criminal, espionage and revenge for a nation state – when it comes to the insider threat, motivation is a lot more obscure and difficult to pin down. Using the Sony hack as a case study, Dr Aiken considered a disaffected insider a more likely perpetrator than North Korea (a view at odds with the FBI’s public attribution of the attack to North Korea), with the multiple leaks serving to disguise a grudge whose real focus was dumping emails that would personally damage a CEO.
My colleague Erik Slooten presented an insightful and candid view of how, as CIO of eir, he contends with the cybersecurity challenge on a daily basis. He reinforced from experience the key points raised by earlier speakers: the importance of realistic incident processes and recovery planning for dealing with the inevitable; the value of an external perspective and testing approach, given how difficult it is to be objective about your own work, no matter how good it is; the need to consider GDPR impacts on your business and to plan accordingly; evolving fundamental infrastructure protections such as anti-DDoS; and ensuring governance extends to third-party suppliers and partners, so that they are equally robust and contractually managed. Slooten referenced eir’s awareness campaign ‘eir loves data’, which considers all data, not just digital.
Wikileaks and whistle-blowers
The final session of the day saw Sarah Harrison of Wikileaks defending their editorial approach to publishing anonymously submitted material. Independent News and Media Business Editor Dearbhail McDonald robustly questioned Harrison on whether Wikileaks had been biased and naïve in publishing material damaging to Hillary Clinton in the recent presidential campaign without asking ‘Why did the info come to me, and why now?’. Harrison responded that ultimately a contributor’s “motive doesn’t matter” once the material is true and identifies wrongdoing. She asserted that while Wikileaks has never considered hacking in and of itself to be in the public interest, it is a way to identify injustice, and she pointed to Aaron Swartz as a pioneer in this regard. She noted the widespread adoption of anonymous, secure drop facilities for whistle-blowers within mainstream media as a positive consequence of Wikileaks.
The discussion on whistleblowing continued in a panel including Greg Glynn of Arthur Cox and Dr TJ McIntyre of UCD. Dr McIntyre noted that existing whistle-blower protection works once the whistle-blower has self-identified, but that increasing surveillance makes the journey up to that point more fraught and difficult. Dr McIntyre sees the ‘curated’ model of leaks as preferable to ‘radical transparency’: mass dumps of information, as seen with Wikileaks, have the potential to harm innocent individuals whose private information is somewhere within the published dump. Harrison commented that existing whistle-blower legislation would not protect Edward Snowden, despite the societal contribution he had made at significant personal cost. In considering whether bounty payments for exposing corruption (similar to those of the SEC and IRS in the US) would be beneficial in the Irish context, Glynn noted that the three motives of whistle-blowers in his experience have been justice, jealousy or revenge, and finally monetary reward, but that by far the most significant is justice. Ultimately, any reward needs to be assessed in the context of the personal devastation that typically results from whistleblowing.
Overall, Dublin Info Sec 2016 was an excellent event. The diversity of content recognised the breadth of the cybersecurity surface, but never came across as thin in terms of expertise and insight.